Changelog History
  • v5.0.0.pre1 (November 17, 2020)
    • Add check for (more) unsafe method reflection
    • Suggest using --force if no Rails application is detected
    • Add Sonarqube report format (Adam England)
    • Add check for potential HTTP verb confusion
    • Add --[no-]skip-vendor option
    • Scan (almost) all Ruby files in project
    • Add support for Haml 5.2.0
  • v4.10.0 (September 28, 2020)
  • v4.9.1 (September 04, 2020)
    • Use version from active_record for non-Rails apps (Ulysse Buonomo)
    • Check chomped strings for SQL injection (#1509)
    • Always set line number for joined arrays (#1499)
    • Avoid warning about missing attr_accessible if protected_attributes gem is used (#1512)
    • Bundle latest ruby_parser (4.15.0)
  • v4.9.0 (August 04, 2020)
    • Add --ensure-ignore-notes (Eli Block)
    • Add check for user input in (Matt Hickman)
    • Add check for CVE-2020-8166 (Jamie Finnigan)
    • Always scan environment.rb
    • Avoid warning when safe_yaml is used via YAML.load(..., safe: true)
    • Do not warn about mass assignment with params.permit!.slice
    • Ignore params.permit! in path helpers
    • Treat Dir.glob as safe source of values in guards
    • Remove whitelist/blacklist language, add clarifications
    • Add "full call" information to call index results
    • Updated Slim dependency (Jeremiah Church)
  • v4.8.2 (May 12, 2020)
    • Add --text-fields option
    • Add check for CVE-2020-8159
    • Add check for escaping HTML entities in JSON configuration option
    • Fix authenticate_or_request_with_http_basic check for passed blocks (Hugo Corbucci)
  • v4.8.1 (April 06, 2020)
    • Warn about global(!) mass assignment
    • Check SQL query strings using String#strip or String.squish (#1459)
    • Handle non-symbol keys in locals hash for render (#1465)
    • Index calls in render arguments (#1459)
  • v4.8.0 (February 18, 2020)
    • Add JUnit XML report format (Naoki Kimurai)
    • Sort ignore files by fingerprint and line (Ngan Pham)
    • Catch dangerous concatenation in CheckExecute (Jacob Evelyn)
    • User-friendly message when ignore config file has invalid JSON (D. Hicks)
    • Freeze call index results, fix thread-safety issue
    • Properly render confidence in Markdown report (#1446)
    • Report old warnings as fixed if zero warnings reported
    • Initialize Rails version with nil (Carsten Wirth)
    • Fix output test when using newer Minitest
  • v4.7.2 (November 25, 2019)
    • Add request.params as query parameters (#1398)
    • Handle more permit! cases (#1426)
    • Remove version guard for named_scope vs. scope
    • Find SQL injection in String#strip_heredoc target (#1433)
    • Ensure file name is set when processing models
    • Bundle ruby_parser version 3.14.1 (#1429)
  • v4.7.1 (October 29, 2019)
    • Sort text report by file and line (Jacob Evelyn)
    • Catch reverse tabnabbing with :_blank symbol (Jacob Evelyn)
    • Convert s(:lambda) to s(:call) in Sexp#block_call (#1410)
    • Check string length against limit before joining
    • Fix flaky rails4 test (Adam Kiczula)
    • Fix errors from frozen Symbol#to_s in Ruby 2.7
    • Add release dates to each version in CHANGES (TheSpartan1980)
  • v4.7.0 (October 16, 2019)
    • Update Haml support to Haml 5.x (#1044)
    • Catch shell injection from -c shell commands (Jacob Evelyn)
    • Correctly handle non-symbols in CheckCookieSerialization (Phil Turnbull)
    • Refactor Brakeman::Differ#second_pass (Benoit Côté-Jodoin)
    • Fix version_between? (Andrey Glushkov)
    • Ignore interpolation in %W[] (#1399)
    • Ignore form_for for XSS check